Staff directories, user accounts and personal profiles for the Apostrophe content management system


apostrophe-people, together with apostrophe-groups, adds staff directories, user accounts and user profiles to the Apostrophe content management system.

A "person" is anyone who can either log in, be seen in a personnel directory, or both. "Users" are simply people who have the "login" box checked and a username and password configured. This follows the MongoDB philosophy of avoiding gratuitous joins between users, profiles, etc.

People can be centrally managed via the "People" dropdown, and groups of people created via the "Groups" dropdown.

In addition, one can create a "directory page" to display a directory of people. For now people are displayed on such pages based on shared tags, however we plan to also give each user an affinity for a specific "home" page allowing for easier management of users.

See the a2 sandbox for a functional example.

You'll want to install both the people module and the groups module to use this functionality successfully. Again, see the a2 sandbox for a working example.

The directory page presents a directory of groups, which commonly represent departments within an organization. Only groups which are published are shown here.

When a site visitor clicks on a group, they are then shown a list of people in that group. Only people who have the "published" selector set to "Yes" are shown here.

TODO: provide an option to skip straight to a list of people throughout the organization, and make it easy for that to be the default behavior, as on many sites a public list of groups is overkill or secondary to the main alphabetical list of staff members.

The directory page is implemented by the apostrophe-groups module. You'll want to subclass that module, overriding the index.html template and perhaps extending or overriding the show and isShow methods, or overriding the dispatch method entirely, as your needs dictate. Currently the people module is able to use the dispatch method of the snippets module without modification for the main list of gropus. This will likely change soon when we introduce ways to skip directly to a list of all people in the organization.

This is similar to the way the apostrophe-events module subclasses and overrides portions of the apostrophe-snippets module.

People receive basic permissions such as "guest," "edit" and "admin" via groups that have been given those permissions.

People who are members of groups for which the "Admin" box has been checked can always view everything, whether it is published or not.

People who are members of groups for which the "Guest" or "Editor" box hs been checked has been checked can potentially view additional content:

  • Guests and editors can view any page for which "Login Required" has been chosen from the "who can view this?" section of "Page Settings."

  • Guests and editors are candidates to view pages for which "Certain People" has been chosen from the "who can view this?" section of "Page Settings." An admin must grant them that permission as an individual or as a group after selecting "Certain People."

  • In addition, editors can always view content they have permission to edit, as described below.

Similarly, people who are members of groups for which the "Editor" box is checked become candidates to edit pages. Someone with admin permissions can then click "Who can edit this?" under "Page Settings" and enter that person or group's name to add them to the list of editors for that particular page.

Those with editing permissions can also create and edit their own blog posts, events and so forth (but not people or groups). They cannot edit blog posts and events created by others (TODO: allow permissions to be granted for this in the same way edit permissions for pages are granted).

Only people who are members of groups for which the "Admin" box is checked, and any hard-coded admin users in app.js, are permitted to carry out admin actions such as:

  • Adding people
  • Adding groups
  • Changing and edit and view permissions.

Many organizations have their own way of ranking people within groups or departments that must be maintained. By default, the members of a group are displayed alphabetically. However, you can switch to manual ordering by passing a simple option when initializing the groups module. Here's an example from app.js:

function initAposGroups(callback) {
  groups = require('apostrophe-groups')({
    ... other options ...
    peopleSortable: true
  }, ... etc ...);

Once you enable this option, you will be able to drag and drop people to reorder them in the list of persons that are members of each group.

Users may reset their password via email confirmation, as long as they have a valid email address and a link to "/apos-people/reset-request" is present in the login.html template, which is true in current versions of the sandbox.

However for those emails to be delivered you will need to set a valid "from" address when configuring the people module. Its options must include:

      email: {
        from: "Some Person <someone@somewhere.com>"

There is a default "from" address but sendmail will complain that it is not valid and users will see an error. So make sure you configure that.

All users who belong to a group with at least "guest" access may edit their profile as long as you include the relevant markup in outerLayout.html (see the sandbox for an example).

You may choose the fields that are editable by the end user via the profileFields option. The first name, last name, and title fields are independent of the schema, but if you do not present them in the form they will not be overwritten when the profile is saved. You can customize the form by copying profileEditor.html from the people module to lib/modules/apostrophe-people/profileEditor.html.

By default, the fields will remain in their usual tab groups within the profile editor, although any empty tabs will be discarded. If you wish to specify a different grouping, use the profileGroupFields option, which works exactly like groupFields.

People may apply for accounts with login privileges if you set the apply option to true when configuring the apostrophe-people module.

The applyFields option determines the fields that people are invited to fill out when they apply for an account. The following list is the default, and you should specify at least these fields. You may specify additional fields that exist in your schema (see addFields).

[ 'username', 'password', 'firstName', 'lastName', 'title', 'email' ]

The above fields are required and the user will not be permitted to complete the application form without supplying them.

The apply.html template is used to present the application form.

You can trigger the application form by giving any link a data-people-apply attribute. You can place those wherever it makes sense in your application:

<a href="#" data-people-apply>Sign Up For An Account</a>

By default the user is required to confirm their account by clicking on a link in an email generated when they complete the form.

Confirmation emails are generated via the applyEmail.html and applyEmail.txt templates. The subject lines can be overridden via the applySubject option.

If you don't mind a higher rate of spam accounts, you may opt out of email confirmation with:

applyConfirm: false

When users create accounts, by default they are added to a group called "Guests" with the single permission "guest". This account is created if it does not yet exist. If it does already exist, its permissions are left as-is.

You may change the group name:

applyGroup: guitarists

Or the group's permissions:

applyGroupPermissions: [ 'guest', 'submit-event', 'submit-blog-post' ]

Fine-grained permissions are now available on a per-group basis for events, blog posts and so on; in fact, any new snippet instance type you define will automatically have three permissions available to be assigned to groups:

submit-blog-post: can submit a blog post but cannot mark it published edit-blog-post: can submit blog posts and publish them, but not edit other people's admin-blog-post: can edit, publish and remove any blog post

This is very helpful to cut down on confusion that stems from giving too many people the admin permission.

The "edit" permission implies all "edit-" permissions, and the "admin" permission implies all "admin-" permissions.

You can also set up links that give the user a choice between creating an account and logging into an existing account. And you can set a URL to be accessed when the user has finished logging in, one way or the other, via the data-after-login attribute:

<a href="#" data-people-login-or-apply data-after-login="/">Log in

first, then go home

Of course, sometimes what you really want is to force the user to log in or sign up, then trigger something that would normally be accessed by just clicking a button on a particular page.

So we've added a way to trigger a click event on an element in a page after loading it. (This is actually a core Apostrophe module feature but it has special relevance here.)

Just end any URL with this:


And Apostrophe will look for an element with a data-my-button attribute and trigger a click event on it after loading the relevant page with an extra URL component to prevent caching.

my-button is just an example. Use your own attribute name.

Apostrophe will also scroll to ensure that element is visible.

This feature works well with the "data-after-login" attribute shown above.

You may want to mix this feature with the apostrophe-moderator module, which allows for easy management of user-submitted content. If so, make sure you add the appropriate permissions for the types that will support moderation, like this:

applyGroupPermissions: [ 'guest', 'submit-event', 'submit-blog-post' ]

Note the use of hyphenated names.

Now users who create accounts via the online application process will be able to immediately begin submitting and editing their own content, but will not be able to mark it as "published," and if you use the moderator module there will be an easy way for admins to filter and view the submitted content.

You'll notice that, by default, you're prompted for a job title for each person you add to the group. This information is accessible in templates this way:


If you don't want this feature, you can disable it with the peopleExtras option when configuring the apostrophe-groups module:

peopleExtras: false

You can also specify an array of extra fields, replacing the usual job title field. The syntax is a subset of that supported by Apostrophe schemas. We recommend sticking to simple string and select field types here.

The relationship between people and groups is currently not an A2 join in the usual sense. We're not crazy about that, and we may migrate to using standard A2 joins and relationships in the future.

You may wish to take special action when a user has confirmed their account, or if you are not using the applyConfirm feature, when their account is first created.

You can do so by listening for the signupConfirmed event:

apos.on('signupConfirmed', function(person) {
  // do as you see fit with this person 

For instance you might use this feature to implement an additional level of confirmation by the administrator before manually adding the user to a privileged group.

If you are never interested in displaying a directory that nests people hierarchically within groups, and simply wish to display a directory of all of the people on the site, optionally filtered by tag, consider using the simplePages: true option. When this flag is in effect, a page of type people behaves just like any snippet index page.